b'DEPARTMENT OF HOMELAND SECURITY\n\n   Office of Inspector General\n\n\n Independent Auditor\'s Report on OFM\'s\n\n      FY 2008 Mission Action Plans\n\n\x0c                                                              Office ofImpector General\n\n                                                              U.S. Department of Homeland Security\n                                                              Washington, DC 25028\n\n\n\n\n                                                               Homeland\n                                                               Security\n                                        July 9, 2008\n\n                                           Preface\n\n\nThe Department of Homeland Security (DHS) Office ofInspector General (OIG) was\nestablished by the Homeland Security Act of2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nThe attached report presents the results ofDHS\' Office of Financial Management fiscal\nyear 2008 Mission Action Plans audit. We contracted with the independent public\naccounting firm KPMG LLP (KPMG) to perform the audit. The contract required that\nKPMG perform its audit according to generally accepted government auditing standards.\nKPMG is responsible for the attached independent auditor\'s report and the conclusions\nexpressed in it.\n\nThe recommendations herein have been discussed in draft with those responsible for\nimplementation. It is our hope that this report will result in more effective, efficient, and\neconomical operations. We express our appreciation to all of those who contributed to\nthe preparation of this report.\n\n\n\n\n                                       Richard L. Skinner\n\n                                       Inspector General\n\n\x0c                               KPMG LLP                                                             Telephone 2025333000\n                               2001 M Street, NW                                                    Fax       202533 8500\n                               Washington, DC 20036                                                 Internet  www.us.kpmg.com\n\n\n\n\nFebruary 22, 2008\n\n\nMs. Anne Richards\nAssistant Inspector General for Audit\nDepartment of Homeland Security, Office of the Inspector General\n\nMr. David Norquist\nChief Financial Officer\nDepartment of Homeland Security\n\n\nThis report presents the results of our work conducted to address the performance audit objectives relative\nto the Department of Homeland Security\'s (DHS or the Department) Mission Action Plans (MAPs)\ndeveloped to address the internal control deficiencies at the Office of Financial Management (OFM).\nThese deficiencies were identified by management and/or reported in KPMG LLP (KPMG) Independent\nAuditors\' Report included in the Department\'s fiscal year 2007 Annual Financial Report (herein referred\nto as the "FY 2007 Independent Auditors\' Report").\n\nThis performance audit is the third in a series of four performance audits that the Department\'s Office of\nInspector General (OIG) has engaged us to perform related to the Department\'s fiscal year 2008 MAPs\nfor use in developing the Department\'s Internal Controls Over Financial Reporting Playbook (ICOFR\nPlaybook). This performance audit was designed to meet the objectives identified in the Objectives,\nScope, and Methodology section of this report. Our audit procedures were performed using draft MAPs\nprovided to us on January 4, 2008. Interviews with DHS / OFM management and other testwork, was\nperformed at various times through February 8, 2008, and our results reported herein are as of February\n22,2008.\n\nWe conducted this performance audit in accordance with generally accepted government auditing\nstandards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our findings based on\nour audit objectives.\n\nThe performance audit did not constitute an audit of financial statements in accordance with GAGAS.\nKPMG was not engaged to, and did not, render an opinion on the Department\'s or OFM\'s internal\ncontrols over financial reporting or over financial management systems (for purposes of Office of\nManagement and Budget Circular No. A-127, Financial Management Systems, July 23, 1993, as revised).\nKPMG cautions that projecting the results of our evaluation to future periods is subject to the risks\nbecause of changes in conditions or because compliance with controls may deteriorate.\n\n\n\n\n                                   KP;vlG !....LP, a U S iln\',!::ci (;abHy par,nersh\'p,:s the U S\n                                   cn8rnber fl;rn of KPMG I"te\'"natlonal a SWISS cooperat\'v~\n\x0cTable of Contents\n\nEXECUTIVE SUMMARY                         2\n\nBACKGROUND                                4\n\nOBJECTIVE, SCOPE, AND METHODOLOGY        .4\n\nFINDINGS AND RECOMMENDATIONS              6\n\nMANAGEMENT RESPONSE TO REPORT            10\n\nKEY DOCUMENTS AND DEFINITIONS            11\n\n\n\n\n\n                                    1\n\n\x0cEXECUTIVE SUMMARY\n\nThe Department of Homeland Security (DHS or the Department) has identified weaknesses in internal\ncontrol over financial reporting through its annual assessment conducted pursuant to Office of\nManagement and Budget (OMB) Circular No. A-123, Management\'s Responsibility for Internal Control,\nand compliance with the Federal Managers\' Financial Integrity Act (FMFIA). Some deficiencies are\nmaterial weaknesses identified by DHS\' external [mancial statement auditor. Begin.o.ing in 2006, the\nDepartment launched a comprehensive corrective action plan to remediate known internal control\ndeficiencies. The plan is documented in the Internal Controls Over Financial Reporting Playbook\n(ICOFR Playbook). The Mission Action Plan (MAP) is a key element of the ICOFR Playbook that\ndocuments the remediation actions planned for each control deficiency at the DHS component level. The\nMAP provides specific actions, timeframes, key milestones, assignment of responsibility, and the timing\nof corrective action validation.                                               .       .\nThe objective of this performance audit was to evaluate and report on the status of the detailed MAP\nprepared by the Office of Financial Management (OFM) to correct internal control deficiencies over\n[mancial reporting. We conducted our audit in accordance with the standards applicable to such\' audits\ncontained in the Government Auditing Standards, issued by the Comptroller General of the United States.\nOur audit was performed using specific criteria to assess the MAP development process used by OFM,\nand evaluate the MAPs submitted by OFM to the DHS Chief Financial Officer to be included in the 2008\nICOFR Playbook.                    .\nThe evaluation criteria were developed from a variety of sources including technical guidance published\nby OMB, the Government Accountability Office, and applicable laws and regulations. We also\nconsidered DHS\' policies and guidance, and input from the Office of Inspector General when designing\nevaluation criteria. Our evaluation criteria are:\n    1.\t Identification (of the root cause) - Identification of the appropriate underlying root cause that is\n        causing the internal control deficiency condition(s).\n    2.\t Development (of the MAP) - Clear action steps that address the root cause, and attainable and\n        measurable milestones at an appropriate level of detail.\n    3.\t Accountability (for execution of the MAP) - The individual MAP owner is responsible for its\n        successful implementation, ensuring that milestones are achieved and that the validation phase is\n        completed.\n    4.\t Verification and validation - The MAP includes written procedures / to verify successful\n        implementation of the MAP, a means to track progress throughout the MAP lifecycle, and\n        reporting results when complete.\nWhile OFM prepared the MAP, most of the control deficiencies extend to the Department and its\ncomponents, outside of OFM\'s direct authority or responsibility. Some of the underlying issues leading\nto these control deficiencies have existed since the Department\'s inception. Two significant control\ndeficiencies caused DHS management to qualify the 2007 Secretary\'s Assurance Statement, and were\nreported as material weaknesses in the FY 2007 Independent Auditors\' Report. The two control\ndeficiencies were (1) parent/child reporting at the Office of Health Affairs (OHA), and (2) reconciliation\nof intragovemmental balances and transactions.\nWe noted that the OFM MAP was written to broadly cover all control deficiencies and compliance with\nlaws and regulations findings identified and reported in the FY 2007 Independent Auditors\' Report, and\ndid not provide specific details on individual control weaknesses. The root causes identifIed were not\nlinked to specific control deficiencies, management financial statement assertions and did not fully\ndescribe the issue, e.g., why the control deficiency occurred, or the unique challenges that must be\nconsidered in development of an effective corrective action plan.\n\n\n\n                                                    2\n\x0cThe MAP does not identify the unique issues affecting parent/child accounting and reporting for OHA\ntransactions, or intragovernrnental reconciliations and the corrective actions; and th~ MAP does not\nsufficiently address the depth of the issues. For example, the MAP does not include procedures that must\nbe performed by the other Federal agency (who is the recipient ofOHA funds), before OHA can properly\nreport transactions and fmancial position, in compliance with generally accepted accounting principles.\nThe MAP does not include procedures that wiil be performed to resolve material differences in trading\npartner balances in a timely manner, after they are identified.\nIn addition, the MAP does not recognize several complicating factors, affects of a complex business\nenvironment, and various infrastructure issues, such as\n    \xe2\x80\xa2\t   Timely identification and commitment of resources to new accounting requirements,\n    \xe2\x80\xa2\t   Lack of sufficient financial management for new DHS programs and Directorates, or\n    \xe2\x80\xa2\t   Consideration of necessary financial data and requirements when negotiating interagency or\n         intradepartment agreements, before the execution of the agreement; and\n    \xe2\x80\xa2\t   The interdependencies with other Departmental control deficiencies including deficiencies in\n         other DHS components, or the degree of reliance and involvement needed from other Federal\n         agencies. For example, one root cause cited in the MAP is the quality of data received from the\n         components.\n\nWe recommend that OFM complete documentation of the root cause analysis to identify the underlying\ncauses of the material weakness, with an increased emphasis placed on the issues that contributed to\nqualifications in the Department\'s FY 2007 financial statements. Each significant control deficiency\nshould have its own MAP. MAPs could be improved by:\n\n    \xe2\x80\xa2\t   Expanding the "Root Cause" section of the MAP to adequately describe the significant\n         contributing conditions of the internal control deficiencies, and clearly link the issue, the reasons\n         why the control deficiency occurred, and the unique challenges that must be considered in\n         development of an effective corrective action plan;\n    \xe2\x80\xa2\t   Identifying critical interdependencies with other Departmental control deficiencies including\n         deficiencies in other DRS components or other Federal agencies. Seek input from DHS\n         components, and if necessary obtain input from other Federal agencies, to ensure full\n         consideration of all interdependencies; and\n    \xe2\x80\xa2\t   Consider the broader issues affecting the control deficiencies, such as the need for policies and\n         procedures to identify new financial accounting and reporting requirements; financial\n         management infrastructure whenever new DHS offices, programs, or Directorates are created; the\n         financial data and accounting requirements when negotiating interagency or intradepartmental\n         agreements, before the execution of the agreement.\n\nRegarding the OHA financial accounting and reporting, and reconciliation of intragovernmental balances\nand transactions we recommend that OFM:\n    \xe2\x80\xa2\t Include procedures that must be performed by, or in cooperation with, the other Federal agency.\n        These procedures should include the valuation and presentation of assets, liabilities and net\n        position ofthe funds maintained by the other Federal agency (the "child" agency), that are outside\n        the control of DHS.\n    \xe2\x80\xa2\t Include procedures that will be performed to resolve material differences in trading partner\n        balances in a timely manner, after they are identified;\n\n\n\n\n                                                      3\n\n\x0cBACKGROUND\n\nThe Department of Homeland Security (DHS or the Department) and the Office of the Chief Financial\nOfficer (OCFO) recognize that deficiencies in internal control over financial reporting exist. The internal\ncontrol deficiencies are reported by DRS management in its annual Secretary\'s Assurance Statements,\nissued pursuant to Office of Management and Budget (OMB) Circular No. A-l23, Management\'s\nResponsibility for Internal Control. The Secretary\'s Assurance Statement and the findings of the external\nauditor are reported in the Department\'s fiscal year 2007 Annual Financial Report (AFR). The conditions\ncausing the control weaknesses are diverse and complex. Many conditions are systemic, inherited with\nlegacy financial processes and information technology (IT) systems at the time of the Department\'s\nformation in 2003. The evolution of the Department\'s mission, programs, component restructuring, and\nother infrastructure changes has made remediation of these control weaknesses very challenging. To\nmeet this challenge, the Department\'s Secretary, Chief Financial Officer, and financial management in the\nDHS components have adopted a comprehensive strategy to implement corrective actions beginning in\nfiscal year (FY) 2007 and continuing in FY 2008.\n\nThe DHS OCFO, Internal Control Program Management Office (ICPMO) is primarily responsible for the\ndevelopment and implementation of the Department\'s strategy to implement corrective action plans. The\nICPMO has documented its strategy and other related plans to remediate identified internal control\ndeficiencies in the Internal Controls Over Financial Reporting Playbook (ICOFR Playbook).\n\nIn 2006, the Department issued Management Directive l030, Corrective Action Plans, and\' the\nDepartment enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial\nManagement Focus Areas Fiscal Year 2008 (MAP Guide). In accordance with the MAP Guide, the\nDepartment and its components developed Mission Action Plans (MAP) that describe the corrective\nactions to be implemented. The Department continued to utilize Electronic Program Management Office\n(ePMO), a Web-based software application, to manage the collection and reporting of MAP information.\n\nThe MAP Guide is applicable to all Department components, including .OCFO\'s Qffice of Financial\nManagement (OFM), and outlines the policies and procedures necessary to develop fiscal year 2008\nDepartment MAPs. All components were required to submit MAPs, or MAP updates, for any new or\nexisting internal control deficiencies over financial reporting, identified by management or the external\nauditors, for input into to the fiscal year 2008 ICOFR Playbook.\n\nTo comply with Management Directive l030 and the MAP Guide, OFM prepared a detailed MAP for FY\n2008 to address the internal control deficiencies over financial reporting reported as material weaknesses\nin the 2007 Independent Auditor\'s Report. Within the material weakness, two control deficiencies lead to\nqualifications in the FY 2007 Independent Auditors\' Report the Departmental level. These control\ndeficiencies were; parent/child reporting at the Office of Health Affairs (OHA), and intragovemmental\nbalances and reconciliations. These control deficiencies are described in the Findings section of our\nreport.\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nObjectives\nThe obj~ctive of this performance audit was to evaluate and report on the status of the detailed MAP\nprepared byOFM to correct internal control deficiencies over financial reporting. Our evaluation was\nperformed using specific criteria, described in the Methodology section below, to assess the process used\nto develop and document OFM\'s FY 2008 MAPs. We did not evaluate the outcome of the MAP process,\nor any corrective actions taken by management during our audit, and our findings should not be used to\n\n\n\n\n                                                    4\n\n\x0cproject ultimate results from MAP implementation. Recommendations are provided to help address\nfindings identified during our performance audit.\n\nScope\nThe scope of this performance audit includes OFM\'s FY 2008 MAP developed to address certain\nfinancial reporting material weaknesses that exist throughQut the Department at OFM as reported in the\nSecretary\'s FY 2007 Assurance Statement, and in the FY 2007 DRS Independent Auditors\' Report. The\nMAP subjected to our performance audit was provided to us by the OCFO, on behalf of OFM, on January\n4, 2008. The scope of this performance audit did not include procedures on any of the MAPs associated\nwith other control deficiencies existing at OFM as reported in the FY 2007 Independent Auditors\' Report.\nOur audit was performed between the January 4, 2008 and February 6, 2008. We issued our report on\nFebruary 29, 2008.\n\nMethodology\nWe conducted this performance audit in accordance with the standards applicable to such audits contained\nin the Government Auditing Standards, issued by the Comptroller General of the United States. Our\nmethodology consisted of the following four-phased approach:\n\nPhase I - Project Initiation and Planning - We attended meetings with the Department\'s Office of\nInspector General (OIG), OCFO, and OFM to review the performance audit objectives and scope,\ndescribe our approach, communicate data requests, and gain an understanding of the status of OFM 2008,\nMAPs.\n\nPhase II - Data Gathering ~ We performed interviews with accounting and finance management and\nstaff at OFM and OCFO. Through these interviews,\' we gained an understanding of the process used to\ndevelop the MAP, including key inputs and data used, assumptions made, and reasons for conclusions\nreached. The interviews focused on the analysis performed by OFM to identify the underlying problems\ncreating the internal control weakness (root cause), the planned corrective actions, the critical milestones\nchosen for measurement, and the methods used to monitor and validate progress in meeting the\nmilestones.. We discussed OFM\'s resource allocation strategy employed in the development and eventual\nimplementation of the MAP, including the utilization of contractors to supplement staff as needed and the\nuse of specialists, if necessary. We conducted meetings with the Department\'s OIG to identify and agree\nto the criteria used to evaluate the status of the MAP (as defined below).\n\nWe performed reviews of key documents and supporting information provided to us. Our documentation\nreviews included:\n    \xe2\x80\xa2\t The OFM MAP (Le., the MAP Detail and Summary Reports) and any underlying supporting\n       documentation provided by OFM.\n    \xe2\x80\xa2\t The Notice of Findings and Recommendations (NFRs) issued during the FY 2007 financial\n       statement audit by the external auditors that supported the internal control findings reported in the\n       FY 2007 Independent Auditors\' Report.\n    \xe2\x80\xa2\t Information provided by OFM directors regarding the allocation of resources related to the MAPs,\n       including the utilization of contractors.\n    \xe2\x80\xa2\t The Annual Component Assurance statements provided pursuant to the requirements of OMB\n       Circular No. A-123.\n    \xe2\x80\xa2\t The ICOFR Playbook, MD 1030, the MAP Guide, and existing internal control monitoring\n       guidance (e.g., OMBCircularNo. A-123).\n\nPhase III - Analysis Using Established Criteria - Our evaluation criteria were developed from a variety\nof sources including technical guidance published by OMB (e.g., Circular No. A-123) and the\n\n\n\n\n                                                     5\n\n\x0cGovernment Accountability Office (e.g., Standards for Internal Control in the Federal Government), and\napplicable Federal laws and regulations (e.g., Federal Managers\' Financial Integrity Act of 1982). We\nalso considered DHS\' policies and guidance, such as the MAP Guide and the ICOFR Playbook, and input\nfrom the DIG. Our evaluation criteria were:\n\n1.\t Identification (of the root\xc2\xb7 cause) - Identification of the appropriate underlying root cause that is\n    causing the internal control deficiency. A comprehensive analysis typically includes a full\n    assessment of the business processes, data flows, and information systems that drive the\n    transactions/activities associated with the accounting process where the internal control deficiencies\n    are believed to exist. A thorough root cause analysis should include:\n    a) Research to discover why, when, and how the condition occurred - what went wrong and why?\n    b) Investigation to determine if the problem is procedural or human resources or both (processes,\n        and lor people).\n    c) An evaluation to determine if IT system functionality is contributing to the problem, and if IT\n        system modifications could be part of the remediation.\n    d) An evaluation of internal controls, including the existence of compensating controls that may\n        mitigate the deficiency.\n\n2.\t Development (of the MAP) - The MAP includes action steps that address the root cause, and\n    attainable and measurable milestones at an appropriate level of granularity. Milestones should enable\n    independent analysis of a MAP\'s effectiveness in remediating root causes, and provide MAP users\n    with insight on the status of the MAP\'s implementation. For example, they should enable a user to\n    determine if the appropriate level of resources to execute a milestone is available and identify\n    potential gaps in milestones (e.g., a contractor may need to be hired before a specific milestone can be\n    achieved).\n\n3.\t Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and\n    assigned. The individual MAP owner is responsible for its successful implementation, ensuring that\n    milestones are achieved, and validation of results.\n\n4.\t Verification and Validation - The MAP includes written procedures that verify successful\n    implementation of the MAP, provide a means to track progress throughout the MAP lifecycle, and\n    require reporting of results when complete. These activities should include documentation reviews,\n    work observations, and performance testing that are maintained for internal OMB Circular No. A-123\n    review and external audit.\n\nPhase IV - Findings and Recommendations - After conducting our Phase III procedures and applying the\nevaluation criteria to the MAPs, we formulated our findings and recommendations. The findings\nrepresent areas for potential improvement that could negatively affect OFM\'s remediation of the control\ndeficiency if the MAP is executed as designed.\n\nFINDINGS AND RECOMMENDATIONS\n\nOur findings and recommendations presented below result from our.audit of draft MAPs provided to us\non January 4, 2008. We concluded our audit procedures on February 6, 2008. Management has\nrepresented that some findings and recommendations have been addressed by modifications made to the\nICOFR Playbook after the end of our audit fieldwork. However, we did not audit modifications to the\nICOFR Playbook made after the end of our audit fieldwork. Please see Management\'s Response for\nadditional comments related to disposition ofourfindings and recommendations.\n\n\n\n\n                                                     6\n\x0cFindings\nOFM prepared and submitted a MAP to the OCFO in accordance the MAP Guide. The OFM MAP\naddresses the financial reporting process where internal control deficiencies existed within the\nDepartment and OCFO, at the end of fiscal year 2007. OFM prepared the MAP however, most of the\ncontrol deficiencies extend to the Department and its components, outside of OFM\'s direct authority or\nresponsibility. Some of the underlying issues leading to these control deficiencies have existed since the\nDepartment\'s inception. Correction of these deficiencies is difficult because they require substantial\ninfrastructure and/or interaction with other Federal agencies. During our meetings, OFM management\nexhibited a clear understanding of the issues, and described corrective actions that were not always\ndocumented in the MAP. OFM has also implemented a MAP monitoring and validation process that\nincludes periodic testing by an outside contractor.\n\nTwo significant control deficiencies caused DHS management to qualify the 2007 Secretary\'s Assurance\nStatement, and were reported as material weaknesses in the FY 2007 Independent Auditors\' Report. The\ntwo control deficiencies were:\n\n1.\t Parent/Child Reporting at the Office of Health Affairs COHA) - OHA was established during the\n    Department\'s Post-Katrina reorganization in 2007. The OHA program office was created without the\n    financial management infrastructure to support the program. The accounting and financial reporting\n    requirements were not adequately defined and assigned in the early stages of the program\'s design\n    and development. OHA was reliant on volunteered time from accountants in other components, often\n    resulting in incomplete and untimely accounting for financial transactions. The most complex\n    accounting and reporting requirements, e.g., accounting for parent/child transactions with another\n    Federal agency pursuant to OMB Circular No. A-136, Firiancial Reporting Requirements, were not\n    addressed for more than nine months, until OFM assumed the responsibility late in FY 2007.\n    However, the complexity of the program and difficulties in obtaining data from the other federal\n    agency prevented OFM from completing their work prior to September 30, 2007. Consequently,\n    OHA was unable to provide sufficient evidential matter or make knowledgeable representations of\n    facts and circumstances, that support transactions and account balances of OHA, as presented in the\n    Department\'s September 30, 2007 balance sheet. These balances totaled more than $3 billion at\n    September 30, 2007.\n\n2.\t Intragovernmental Balances and Reconciliations _. DHS has not timely or completely reconciled\n    intragovernmental balances with other Federal entities since the Department\'s inception.\n    Consequently, DHS\' Material Difference/Status of Disposition Certification Report, submitted\n    quartefly to the U.S. Treasury frequently shows differences in excess of $1 billion. Some of the\n    differences are identified as errors and unreconciled amounts. The differences are caused by a variety\n    of circumstances existing in the DHS components and other Federal agencies. This condition\n    affected DHS\' ability to accurately report transactions with Federal government trading partners in\n    the Department\'s financial statements at September 30, 2007, and previous years.\n\nOur findings related to the OFM MAP are:\n\xe2\x80\xa2\t   A single OFM MAP is broadly written to cover all control deficiencies and non-compliance with laws\n     and regulations findings reported in the FY 2007 Independent Auditors\' Report. Individual control\n     deficiencies, such as those described above, are not separately identified and addressed in the MAP.\n     Consequently, the reader is not able determine the underlying issues, root causes, linkage to the\n     financial statement assertions, or cross-reference to the specific corrective milestones for each control\n     deficiency.\n\n\n\n\n                                                      7\n\n\x0c\xe2\x80\xa2\t   The root causes identified were general, e.g., roles and responsibilities, policies and procedures,\n     monitoring, quality of data, and staff resources. Specifically, the root cause analysis:\n     a)\t Is not linked to specific control deficiencies, management financial statement assertions, and does\n         not fully communicate a complete description of (1) the issue(s), (2) why the control deficiency\n         occurred, and (3) the unique challenges that must be considered in development of an effective\n         corrective action plan.\n     b)\t Was often listed as a condition or symptom of the problem, e.g., "more complete, accurate and\n         timely input data is needed" or "in FY 2007 one component submitted more than 40\n         restatements."\n     c)\t Does not clearly address the criteria defmed in the Methodology section above and does not\n         address the true underlying issues. For example, regarding item b) above, why was incomplete,\n         inaccurate, and untimely\xc2\xb7 input data submitted from the components, and why did a component\n         need to submit 40 restatements?\n     d)\t Is not supported by documentation of the analysis performed, e.g., research performed, personnel\n         consulted, supervisory review, and independent corroboration of conclusions.\n\xe2\x80\xa2\t   The MAP does not identifY the unique issues affecting aHA parent/child accounting and reporting\n     for aHA transactions, or intragovernmental recon~iliations and the corrective actions; and the MAP\n     does not sufficiently address the depth of the issues. For example the MAP does not:\n     a)\t Include procedures that must be performed in cooperation with or by the other Federal agency\n         (who is the recipient of aHA funds), before aHA can properly report transactions and financial\n         position, in compliance with generally accepted accounting principles.\n     b)\t Include procedures that will be performed to resolve material differences in trading partner\n         balances in a timely manner, after they are identified. The MAP does not recognize the\n         complicating factors that interfere with timely intergovernmental reconciliations, e.g., the\n         adequacy of internal financial systems and accounting processes of some components, or\n         reconciliations with trading partners that are unable to verifY the reliability of their data.\n     c)\t Adequately identifY and address the effects of complex business environment and infrastructure\n         issues, such as;\n                timely identification and commitment of resources to address new accounting\n                requirements, e.g., OMB Circular No. A-136, accounting and reporting for parent/child\n                transactions in 2007 and beyond. Historically, changes in accounting principles and\n                technical financial reporting requirements have not been identified early, and the proper\n                accounting processes established before the changes become effective.\n                Lack of sufficient financial management and supporting financial infrastructure for new\n                DHS programs and Directorates. DHS operations are restructured, or new programs,\n                offices, Directorates are sometimes created, without necessary advance planning for\n                financial management and infrastructure.\n                Consideration of necessary financial data and reporting requirements when negotiating\n                interagency or intradepartmental agreements, before the execution of the agreement.\n                Interagency agreements are sometimes entered in~o without adequate consideration of the\n                accounting requirements and verification of data.\n\n     \xe2\x80\xa2\t The MAP does not address interdependencies with other Departmental control deficiencies,\n        including deficiencies in other DHS components, or the degree of reliance and involvement\n        needed from other Federal agencies. For example, one root cause cited in the MAP is the quality\n\n\n\n                                                     8\n\n\x0c        of data received from the components. OFM is reliant on data from components whose\n        management is unable to provide assurances regarding the reliability if its data. Full remediation\n        of departmental issues may be limited to advances made by components in correcting their\n        material weaknesses. The MAP does not recognize that limitations exist in OFM\'s ability to\n        assure the completeness and accuracy of the data received from the components.\n\nRecommendations\nWe recommend that OFM:\n\n1.\t Complete documentation of OFM\'s comprehensive and thorough root cause analysis and maintain\n    documentation to support that an analysis was performed to identify the underlying causes of the\n    material weakness, with an increased emphasis placed on the issues that contributed to qualifications\n    in the Department\'s FY 2007 financial statements. Each significant control deficiency should have its\n    own MAP.\n\n2.   Improve the MAPs by:\n     a) Expanding the "Root Cause" section of the MAP to adequately describe the significant\n         contributing conditions to the internal control deficiencies, and clearly link (1) the issue(s), (2) the\n         reasons why the control deficiency occurred, and (3) the unique challenges that must be\n         considered in development of an effective corrective action plan. Avoid listing symptoms as root\n         causes.\n     b) Identifying critical interdependencies with other Departmental control deficiencies including\n         deficiencies in other DRS components, or other Federal agencies. Seek input from DRS\n         components, and if necessary obtain input from other Federal agencies, to ensure full\n         consideration of all interdependencies.\n     c)\t Maintaining supporting documentation of the research performed, personnel consulted,\n         supervisory review, and independent corroboration of conclusions.\n\n3.\t Regarding the OHA fmancial accounting and reporting and intragovemmental balances control\n    deficiencies, identify the unique issues affecting parent/child accounting and reporting for OHA\n    transactions, or intragovernmental reconciliations with trading partners, and document specific\n    corrective actions for each control deficiency. The MAP should:\n    a) Include procedures that must be performed by the other Federal agency. These procedures should\n        include the valuation and presentation of assets, liabilities and net position of the funds\n        maintained by the other Federal agency (the "child" agency), that are outside the control of DRS.\n    b) Include procedures that will be performed to resolve material differences in trading partner\n        balances in a timely manner, after they are identified.\n\n4.   The MAPs should address the broader issues affecting the control deficiencies. Consider:\n     a) Policies and procedures to identify new financial accounting and reporting requirements soon\n         after the technical guidance is released, and then develop appropriate accounting processes in\n         response.\n     b)\t Necessary financial management infrastructure whenever new DHS offices, programs, or\n         Directorates are created.\n     c) The financial data and accounting requirements when negotiating interagency or intradepartment\n         agreements, before the execution of the agreement.\n\n\n\n\n                                                       9\n\n\x0cMANAGEMENT RESPONSE\n\nManagement has prepared an official response presented as a separate attachment to this report.\nIn summary, management agreed with our findings and its comments were responsive to our\nrecommendations. We did not audit management\'s response and, accordingly, we express no\nopinion on it.\n\n\n\n\n                                              10\n\x0cKEY DOCUMENTS AND DEFINITIONS\n\nThis section provides key definitions and documents for the purposes of this report.\n\nThe Federal Managers\' Financial Integrity Act (FMFIA) requires that Executive Branch Federal agencies\nestablish and maintain an effective internal control environment according to the standards prescribed by\nthe Comptroller General and specified in the Government Accountability Office\'s (GAO) Standards for\nInternal Control in the Federal Government. In addition, it requires that the heads of agencies to\nannually evaluate and report on the effectiveness of the internal control and financial management\nsystems.\n\nGAO\'s Standards for Internal Control in the Federal Government (Standards) defines internal control as\nan integral component of an organization\'s management that provides reasonable assurance of:\neffectiveness and efficiency of operations, reliability of financial reporting, and compliance with\napplicable laws and regulations.\n\nThe Department of Homeland Security Financial Accountability Act (the DHS FAA) designates the\nDepartment\'s Chief Financial Officer (CFO), under the authority of the Secretary, as the party responsible\nfor the design and implementation of Department-wide internal controls. Furthermore, the DHS FAA\nrequires that a management\'s assertion and an audit opinion of the internal controls over financial\nreporting be included in the Department\'s annual Performance and Accountability Report.\n\nOffice of Management and Budget (OMB) Circular No. A-123, Management\'s Responsibility for\nInternal Control, provides guidance on internal controls and requires agencies and Federal managers to\n1) develop and implement management controls; 2) assess the adequacy of management controls; 3)\nidentify needed improvements; 4) take corresponding corrective action; and 5) report annually on\nmanagement controls. The successful implementation of these requirements facilitates compliance with\nboth FMFIA and the DHS FAA.\n\nOffice of Management and Budget (OMB) Circular No. A-127, Financial Management Systems,\nprescribes policies and standards for executive departments and agencies to follow in developing,\noperating, evaluating, and reporting on financial management systems. The successful implementation\nof these requirements facilitates compliance with both FMFIA and the DHS FAA.\n\nInternal Control DeficienCies - A control deficiency exists when the design or operation of a control\ndoes not allow management or employees, in the normal course of performing their assigned functions,\nto prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or\ncombination of control deficiencies, that adversely affects DRS\' ability to initiate, authorize, record,\nprocess, or report fmancial data reliably in accordance with U.S. generally accepted accounting\nprinciples such that there is more than a remote likelihood that a misstatement of DRS\' financial\nstatements that is more than inconsequential will not be prevented or detected by DRS\' internal control\nover financial reporting. A material weakness is a significant deficiency, or combination of significant\ndeficiencies, that results in more than a remote likelihood that a material misstatement of the fmancial\nstatements will not be prevented or detected by DRS\' internal control.\n\nManagement Directive (MOl 1030, Corrective Action Plans, establishes the "Department\'s vision and\ndirection on the roles and responsibilities for developing, maintaining, reporting, and monitoring MAPs\nspecific to the DHS Financial Accountability Act, FMFIA, and related OMB guidance." In addition to the\nroles and responsibilities, MD 1030 outlines the policies and procedures related to the MAP process. The\n\n\n\n\n                                                    11\n\n\x0corganizational structure detailed m MD 1030 encompasses employees at both the component and\ndepartment levels.\n\nThe Internal Controls Over Financial Reporting (ICOFR) Playbook aCOFR Playbook) was developed\nby the OCFO, Internal Control Program Management Office, to assist the Department in meeting the\nfmancial accountability requirements outlined in the DRS FAA. The ICOFR Playbook outlines the\nDepartment\'s "strategy and process to resolve material weaknesses and build management assurances."\nOn an annual basis, the ICOFR Playbook is updated by the OCFO to enhance its exiting guidance, as\nnecessary, and establish milestones, which will be monitored by the OCFO throughout the year. A\ncomponent of the ICOFR Playbook is MAPs developed by the Department and its components to correct\ninternal control deficiencies.\n\nThe Mission Action Plan Guide. Financial Management Focus Areas Fiscal Year 2008 (MAP Guide)\noutlines the policies and procedures to be used to develop MAPs throughout DRS, pursuant to the roles\nand responsibilities established by the DRS Management Directive (MD) 1030, Corrective Action Plans.\nThe MAP Guide applies to all Department Components and Offices (e.g., OFM) where a control\ndeficiency has been identified. Note non-conformances related to the Federal Information Security\nManagement Act (FISMA), are under the purview of the Department\'s Chief Information Security\nOfficer\'s Plan ofAction and Milestones (POA&M) Process Guide.\n\nElectronic Program Management Office (ePMO) is a Web-based software application the OCFO\ndeployed to manage the collection and reporting of MAP information.\n\nMiss-ion Action Plans (MAPs), as defined in the MAP Guide, are documents prepared to facilitate the\nremediation of internal control deficiencies identified by management or by external parties. MAP\ndocumentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP\nDetailed Report that are required to be submitted to the OCFO through ePMO. Below are brief\ndescriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick\nGuide contained in the MAP Guide:\n\n   \xe2\x80\xa2\t The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency\n      conditions), results of the root cause analysis performed, relevant financial statement assertions\n      affected by the issue, key strategies and performance measures, resources required, an analysis of\n      the risks and impediments as seen by management, verification and validation methods, and the\n      critical milestones to be achieved.\n   \xe2\x80\xa2\t The MAP Detailed Report provides additional data on the milestones, not only on those identified\n      as critical but also those sub-milestones under a critical milestone. For each milestone (critical or\n      sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started,\n      Work in Progress and Completed), and the responsible and assigned parties.\n\nThe Department\'s Annual Financial Report (DRS AFR) was issued on November 15, 2007 and consists\nof the Secretary\'s Message, Management\'s Discussion and Analysis, Financial Statements and Notes, an\nIndependent Auditors\' Report, Major Management Challenges, and other required information. The AFR\nwas prepared pursuant to OMB Circular No. A-136, Financial Reporting Requirements.\n\n\n\n\n                                                   12\n\n\x0c           \xc2\xb7   ,:   .                                               ....   ~   ,.~.   .       .\n\n\n\n\n                                                                   U.S. Department of Homeland Security\n                                                                   Washington. DC 20528\n\n\n\n\n                                        April 10,2008\n\n\nMEMORANDUM FOR:              Richard L. Skinner, Inspector General     r:.IIJ             /\n\n\nFROM:                        David L. Norquist, Chief Financial   off{)lJl/\nSUBJECT:                     Draft Report: Independent Auditor\'s Report on OFM\'s FY 2008\n                             Mission Action Plans\n\n\nThank you for the opportunity to comment on the Draft Report: Independent Auditor\'s Report\non OFM\'s FY 2008 Mission Action Plans. We concur with the report\'s recommendations and\nwe will ensure corrective actions are implemented to respond to the report\'s findings. For\nexample, we have added additional milestones to address issues affecting parent/child accounting\nand reporting for DRS Office of Health Affairs and intragovernmental reconciliations. We look\nforward to continuing our partnership in implementing the DHS Financial Accountability Act.\n\x0cReport Distribution\n\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nUnder Secretary for Management\nAssistant Secretary for Policy\nAssistant Secretary for Public Affairs\nAssistant Secretary for Legislative Affairs\nChief Financial Officer\nChief Information Officer\nChief Privacy Officer\nDHS GAO/OIG Audit Liaison\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriation Committees, as appropriate\n\x0cAdditional Information and Copies\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254\xc2\xb74199, fax your request to (202) 254\xc2\xb74305, or visit the OIG web\nsite at www.dhs.gov/oig.\n\n\nOIG Hotline\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of\ncriminal or noncriminal misconduct relative to department programs or\noperations:\n\n    \xe2\x80\xa2    Call our Hotline at 1\xc2\xb7800\xc2\xb7323\xc2\xb78603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254\xc2\xb74292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector GeneraUMAIL STOP 2600, Attention:\n           Office of Investigations\xc2\xb7 Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'